1. Introductions and apologies


1.1 There were no apologies received in advance of the meeting.
However, Sid Sidhu and Robert Buysman had experienced 
technical difficulties when dialling in and were unable to 
participate in the meeting. 


2. Declaration of interests 


2.1 There were no declarations made. 


3. Matters arising from the previous meeting 


3.1 The minutes of the previous meeting were agreed. 


3.2 Chris Braithwaite provided an update on the outstanding
actions.


4. Deputy Chief Executive Officer’s update 


4.1 Paul Arnold provided an update on matters relating to the
Committee’s work including business continuity and how the
ICO has managed the recent Covid-19 situation. He paid
tribute to the Business Continuity Team, who had managed
the situation both in preparation and execution of the
business continuity plan.


4.2 Elizabeth Denham thanked Paul Arnold for his management of
the Business Continuity Team. She also explained that
throughout the meeting she would welcome any advice or
recommendations from the Committee on mitigating the risks
that are now facing the ICO.


5. Risk and opportunity management 


Risk Register


5.1 Louise Byers presented the latest version of the ICO’s
corporate risk register, which has recently been reviewed in
context of the ICO’s risk maturity programme and Covid-19.
In addition to reviewing the risk register, the Committee was
also asked to review the risk appetite statement in the
context of Covid-19.


5.2 Ailsa Beaton commented that the Committee had previously
discussed risk scenario planning, and that approach would be
helpful at the current time, as it was likely that a number of
risks may materialise at the same time.


5.3 Jane McCall highlighted that there could be issues in the
future relating to paused projects and the ICO would need to
look at the impact of future waves of the virus.


5.4 Louise Byers confirmed that workstreams were in place to
help the ICO move away from business continuity to new
ways of working.


5.5 The Committee agreed that the risk appetite in the current 
environment should be discussed by the Management Board 
at the meeting in May. 


Deep Dive into Information Disclosure 


5.6 Paul Arnold presented the report providing the results of the 
deep dive into R73 and the compliance culture within the ICO. 


5.7 The report demonstrated that there was a healthy reporting 
culture within the ICO and although there had been an 
increase of incidents, there had been significant growth in the 
workforce, and the demand for ICO services had also 
increased at a greater rate. 


5.8 Roger Barlow asked whether there was an increased risk of 
disclosure in relation to Covid-19 and remote working. The 
Committee agreed that continuing the work to raise 
awareness of information security during homeworking would 
be beneficial. 


5.9 Louise Byers confirmed that communications had been sent 
out to staff highlighting the security risks under the current 
circumstances. 


5.10 Ailsa Beaton commented that the sensitivity of the information
disclosed should be taken into account when assessing the severity
of the disclosure, not just the numbers involved. Louise Byers
confirmed that the sensitivity and the nature of the
information, as well as the quantity, was reflected in the
assessment.


6. Finance 


Management Accounts 


6.1 Andrew Hubert provided an update on the accounts for
year-end which showed a budget surplus, caused in the main by a
significant growth in the Data Protection Register income.


Covid-19 High Level Financial Impact Assessment 


6.2 The Committee considered a report which had been sent to 
DCMS, regarding the anticipated financial assistance required 
going forward due to Covid-19. 


7. Annual Report 


7.1 Louise Byers confirmed that the ICO was on track with the
original timescales to produce the Annual Report and
meetings are being held on a bi-weekly basis.


7.2 David Eagles confirmed that the external audit was continuing
to the original timetable and did not currently anticipate any
significant impact to the audit due to Covid-19.


Action: Comments on the draft annual report to be sent 
to Louise Byers. 


8. Internal audit 


Progress Report


8.1 Gary Stewart presented the progress report and confirmed
that the follow-up audit was yet to be finalised, as this has
been impacted by Covid-19.


Internal Audit Reports


8.2 Darren Jones confirmed that the most recent internal audits
into Third Party Service Providers, Payroll and Freedom of
Information all resulted in ratings of substantial assurance.


8.3 Ailsa Beaton stated that this was a very pleasing and positive
result. She requested that the deadline dates for the
recommendations be brought forward from December 2020
where possible. This was particularly applicable to the payroll
audit.


Action: Chris Braithwaite to facilitate audit
recommendation owners reviewing the deadline dates,
to bring these forward wherever possible.


2020/21 Audit Plan


8.4 Gary Stewart confirmed that Mazars will be more agile in their
approach to assignments this year and was currently looking
to carry out audits remotely. The areas suggested in the
Audit Plan are still reasonable under the current situation.


8.5 The Committee recommended that the Fees and Income Audit
be brought forward due to the current situation.


Action: Chris Braithwaite and Mazars to bring forward
the Fees and Income Audit.


9. Outstanding Audit Recommendations 


9.1 Chris Braithwaite presented the outstanding audit 
recommendations. He explained that the outstanding project 
management actions would be covered under the Covid-19 
projects currently being developed. 


10. External Audit Update 


10.1 David Eagles confirmed that the audit was currently on track 
and will be run remotely. 


11. NAO Guidance for Audit Committee 


11.1 There were no new publications at the time of meeting. 


Action: Chris Braithwaite to circulate any guidance 
published in the coming weeks and include this on the 
agenda at the Committee’s next meeting. 


12. Cyber Security Standards 


12.1 A report was provided to the Committee which confirmed
that all outstanding actions to achieve all of the government's 
minimum cyber security standards had now been completed. 
This remained an active area of work for the IT and Cyber 
Security teams, to ensure that the ICO continued to go 
beyond the minimum standards. 


12.2 Ailsa Beaton thanked the team for this report and the good 
work done to achieve all of the standards. 


13. Security Report 


13.1 The Committee agreed that as the ICO moved into the new 
ways of working, it was important to capture new security 
risks that may arise. Louise Byers confirmed that 
communications were being sent to staff with regard to 
suspicious emails and unauthorised disclosures via email. 


13.2 Roger Barlow highlighted that market sensitive information 
could be equally as important as personal information when 
assessing the severity of an incident. Louise Byers explained 
that the ICO was currently developing a market sensitive 
information policy, to assist staff with dealing with such 
information. 


14. Fraud, whistleblowing and security 


14.1 Jane McCall presented a report relating to a recent
anonymous whistleblowing allegation, primarily relating to the
assumptions and budget forecasts in relation to pay
progression. This report had been prepared by Mazars’
Forensic Accountants, providing a totally independent
investigation. Mazars’ investigation had found that the
assumptions and forecasts which had been made at the time,
with the information available, were reasonable.


14.2 David Eagles commented that the projected costs could have
been reflected as a provision, rather than an accrual. He
explained that BDO would review this as part of their 2019/20
audit, but noted that the amount involved was not material
and therefore would not warrant a prior period adjustment.


14.3 Ailsa Beaton also reported on the work that she had carried
out to review the other parts of the whistleblowing disclosure,
relating to the approach to and work of the pay consistency
panel, including the appeals process. She had found that this
process had been followed consistently and in line with the
agreed policy. She had also found that there was no evidence
to support the whistleblower’s allegation of coercive control.


14.4 In conclusion, the Committee agreed with the findings that
the allegations were unfounded and therefore exonerated the
ICO managers who had been implicated in the allegations.


14.5 The Committee discussed the appropriateness of the
whistleblowing policy to consider anonymous disclosures. The
Committee noted that such disclosures needed to be
permitted, but commented that the policy should be updated
to make clear that anonymous disclosures would need to be
supported by sufficient evidence to allow the recipient of the
disclosure to investigate the disclosure. The Committee
agreed that the policy should be reviewed, and should include
an intermediate step in all disclosures to make clear that the
recipient of the disclosure would triage a disclosure to
determine whether sufficient evidence had been presented to
warrant a full investigation. At this stage, the recipient may
also consider whether disclosures may be vexatious and
whether an investigation would be in the public interest.


Action: Whistleblowing Policy to be reviewed in line 
with the recommendations. 


15. Single Tender Contract Awards 


15.1 There were no single tender contracts awarded during the
previous quarter.


16. Audit Committee work programme 2020/21 


16.1 The work programme for the coming year was presented to 
the Committee for review and comment. 


16.2 Chris Braithwaite reported that the risk appetite would be 
presented to the Committee on an annual basis, but any 
changes to this appetite would be subject to approval by 
Management Board. 


17. Any other business 


17.1 There were no issues raised. 


